CVE-2026-46446 Overview
CVE-2026-46446 is a SQL injection vulnerability in SOGo, an open-source groupware server providing calendar, address book, and webmail services. The flaw exists in versions before 5.12.7 when SOGo is configured with PostgreSQL or MariaDB backends and stores cleartext passwords. The vulnerability resides in the changePasswordForLogin routine, where unsanitized input flows into the c_password = '%@' SQL fragment. Authenticated attackers can inject arbitrary SQL during password change operations. The issue is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated attackers can manipulate SQL queries through the password change endpoint, potentially exposing or modifying credential data stored in the SOGo backend database.
Affected Products
- SOGo versions prior to 5.12.7
- SOGo deployments using PostgreSQL backend with cleartext password storage
- SOGo deployments using MariaDB backend with cleartext password storage
Discovery Timeline
- 2026-05-14 - CVE-2026-46446 published to NVD
- 2026-05-14 - Last updated in NVD database
- SOGo v5.12.7 - Vendor releases patched version addressing the SQL injection
Technical Details for CVE-2026-46446
Vulnerability Analysis
The vulnerability stems from improper sanitization of user-supplied input during password change operations in SOGo. The changePasswordForLogin function constructs a SQL statement that embeds the new password value directly into a query fragment matching the pattern c_password = '%@'. When SOGo is configured to store cleartext passwords with a PostgreSQL or MariaDB backend, the password value is passed to the database without proper parameterization or escaping.
An authenticated user with permission to invoke a password change can craft a payload containing SQL metacharacters. The injected content terminates the intended string literal and appends attacker-controlled SQL clauses. This allows reading or modifying data in the SOGo authentication tables, including other users' credentials when stored in cleartext.
The attack complexity is rated high because exploitation requires specific deployment conditions: a SQL-backed user source and cleartext password storage. LDAP-backed deployments and configurations using hashed password storage are not exposed through this code path.
Root Cause
The root cause is the use of string formatting to build a SQL UPDATE statement instead of using parameterized queries or prepared statements. The %@ format specifier interpolates the raw password string into the query, providing no separation between code and data. Reviewing the upstream patch shows the fix applies proper escaping for the password value before it reaches the SQL layer.
Attack Vector
Exploitation occurs over the network through SOGo's authenticated password change interface. The attacker must hold valid credentials for an account permitted to change its password. The malicious payload is delivered as the new password value, which the backend then embeds into the vulnerable UPDATE statement against the SOGo user table.
No verified public proof-of-concept code is available. Refer to the SOGo v5.12.7 release notes and the Debian bug tracker discussion for additional technical context.
Detection Methods for CVE-2026-46446
Indicators of Compromise
- Unexpected modifications to the sogo_users table or equivalent SOGo authentication tables in PostgreSQL or MariaDB
- Database error log entries referencing syntax errors during password change operations
- Password change requests containing single quotes, semicolons, or SQL keywords such as UNION, SELECT, or --
- Anomalous spikes in calls to the SOGo password change endpoint from a single authenticated account
Detection Strategies
- Inspect SOGo application logs for password change requests with non-printable or SQL metacharacter content in the password field
- Enable PostgreSQL or MariaDB query logging and review UPDATE statements targeting the SOGo user table for unexpected clauses
- Correlate authentication failures, password changes, and subsequent privileged actions across the same account
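As an added example (not code from SOGo or from the advisory), the following Python script applies the query-log review strategy above to constructed PostgreSQL statement-log lines: it allowlists the one legitimate shape of the password-change UPDATE and flags any other UPDATE against the user table, plus any statement that produced a syntax error. The table name sogo_users and the column c_uid are assumptions about the deployment's schema.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Table and column names are assumptions: the advisory names c_password and
# "the sogo_users table or equivalent"; c_uid is the usual SOGo user-id column.
USER_TABLE = "sogo_users"
# Allowlisted shape of a legitimate password change: one SET column
# (c_password) and one WHERE condition on the user id, nothing else.
EXPECTED_UPDATE = re.compile(
    rf"^UPDATE {USER_TABLE} SET c_password = '[^']*' WHERE c_uid = '[^']*'\s*;?$"
)
STMT_RE = re.compile(r"(?:LOG:\s+statement:|STATEMENT:)\s*(.*)$")
ERROR_RE = re.compile(r"ERROR:\s+syntax error")

# Constructed PostgreSQL log lines (log_statement = 'all'); not real traffic.
SAMPLE_LOG = [
    "2026-05-15 10:00:01 UTC [2101] LOG:  statement: UPDATE sogo_users SET c_password = 'Winter2026!' WHERE c_uid = 'alice'",
    "2026-05-15 10:00:07 UTC [2102] LOG:  statement: SELECT c_password FROM sogo_users WHERE c_uid = 'bob'",
    "2026-05-15 10:00:09 UTC [2103] LOG:  statement: UPDATE sogo_users SET c_password = 'x', c_uid = 'admin' WHERE c_uid = 'carol'",
    "2026-05-15 10:00:12 UTC [2104] ERROR:  syntax error at or near \"s\" at character 44",
    "2026-05-15 10:00:12 UTC [2104] STATEMENT:  UPDATE sogo_users SET c_password = 'it's' WHERE c_uid = 'dave'",
]

def extract_statement(line: str) -> Optional[str]:
    """Return the SQL text of a 'statement:' or 'STATEMENT:' log line, else None."""
    m = STMT_RE.search(line)
    return m.group(1).strip() if m else None

def find_suspicious_updates(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (reason, statement) pairs for entries that either produced a
    syntax error or deviate from the expected password-change UPDATE shape."""
    findings = []
    pending_error = False  # PostgreSQL logs the ERROR line before its STATEMENT line
    for line in lines:
        if ERROR_RE.search(line):
            pending_error = True
            continue
        stmt = extract_statement(line)
        if stmt is None:
            pending_error = False
            continue
        touches_table = re.search(rf"\b{USER_TABLE}\b", stmt) is not None
        if pending_error and touches_table:
            findings.append(("syntax error in statement against user table", stmt))
        elif stmt.upper().startswith("UPDATE") and touches_table \
                and not EXPECTED_UPDATE.match(stmt):
            findings.append(("UPDATE deviates from password-change shape", stmt))
        pending_error = False
    return findings
```

The allowlist approach catches statements that touch columns the password endpoint should never write (the carol line) without depending on a keyword blocklist, while the syntax-error pairing surfaces the error-log indicator listed above.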
Monitoring Recommendations
- Monitor the running SOGo version on each instance and alert when any instance is below 5.12.7
- Track outbound database connections from the SOGo service for query patterns inconsistent with normal application behavior
- Audit which user sources are configured with cleartext password storage and flag those deployments for prioritized patching
How to Mitigate CVE-2026-46446
Immediate Actions Required
- Upgrade SOGo to version 5.12.7 or later on all production and staging hosts
- Identify any SOGo deployments configured to store cleartext passwords and transition to hashed password storage
- Rotate all SOGo user passwords after patching if cleartext storage was previously enabled, since credentials may have been exposed
- Review database audit logs for the period before patching to identify potential injection attempts
Patch Information
The SOGo project addressed this vulnerability in release 5.12.7. The fix is documented in the SOGo v5.12.7 release announcement and the corresponding upstream pull request. Debian users should track updates via the Debian bug tracker.
Workarounds
- Disable cleartext password storage in SOGo configuration and switch the authentication source to use hashed credentials
- Restrict access to the SOGo password change endpoint behind a reverse proxy with input validation rules that block SQL metacharacters
- Use an LDAP-backed user source instead of direct SQL authentication where feasible
# Verify installed SOGo version on Debian-based systems
dpkg -l | grep sogo
# Example: confirm cleartext password storage is disabled in sogo.conf
# Ensure the user source does not include: userPasswordAlgorithm = plain;
grep -i "userPasswordAlgorithm" /etc/sogo/sogo.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.